Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration
|
|
- Lee Fields
- 6 years ago
- Views:
Transcription
1 Statement Comments by the electrical industry on the EU Cybersecurity Act manufacturer s declaration industrial security Cybersecurity Quality basis security LED-Modul Statement P January 2018 German Electrical and Electronic Manufacturers Association
2 Summary Further key points This document provides insights of the German Electrical and Electronic Manufacturers Association and its 1,600 member companies on the draft EU Cybersecurity Act published in September Advice is given on the further constructive development of the draft regulation currently discussed by the Council of Ministers, the European Parliament and the EU. It is important to ensure that the regulation is implemented in a way that is suitable for industry and promotes innovation in the same time. It is crucial for the ZVEI member companies that: priority is given to international harmonised standards; industry participation and manufactures ownership are strengthened; third party certification cannot serve as a substitute for trust; the design of a conformity and certification framework will be developed further; mandates regarding necessity and scope for conformity and certification schemes are based on clear, comprehensible criteria. Cybersecurity Act raises tensions with the existing EU legal system: With the New Legislative Framework (NLF), the has established a universal and wellestablished system for the regulation of products and their placement on the EU market. The Cybersecurity Act incomprehensibly re-engineers product requirements and market surveillance regulations in an entirely separate and incompatible way. Taking WTO aspects into consideration: It would run counter to the objectives of the WTO-TBT agreement if an EU certification scheme were to become a de facto market access requirement in spite of its voluntary nature, without having to be based on international standards and conformity assessment schemes. Harmonisation with no third-party obligations: The EU s objective in drafting a Cybersecurity Act to create uniform regulations for cybersecurity across Europe is both valid and important. The electrical industry expressly welcomes the intention to counteract fragmented certification schemes based on the principle of one certification, EU-wide recognition. These measures strengthen the European (digital) internal market and contribute to the free flows of data and goods. However, this concern should not be used to de facto mandatorily extend third-party certification to all product and market sectors as a substitute for trust. Priority of the New Legislative Framework: The Cybersecurity Act will set requirements for products via a certification scheme (see Part 3, Article 47). By referring to products, the Act affects the area of product regulation - without taking into account the previously agreed and established procedures of the European market regulation. The reasoning that the underlying framework is a voluntary instrument in itself cannot, from the electrical industry s point of view, be a basis for disregarding the principles and procedures of the New Legislative Framework (NLF). If requirements are to be placed on products in a direct or indirect form, the ZVEI considers this to be done primarily within the framework of the NLF and based on a risk assessment approach. To ensure an appropriate level of security against cyber-attacks under the New Legislative Framework (NLF), the respective legislation needs to be amended with concrete requirements. Such an approach ensures the following key principles: 2
3 Observance of international norms and standards Flexible adapting of requirements via standardisation Flexibility for horizontal and vertical requirements Established and accepted conformity assessment system High acceptance by providers and users Ensuring a level playing field for manufacturers and importers Regulated procedures and competencies for market surveillance authorities The danger of cross-references and double regulation: The electrical industry believes there is a risk of serious complications. According to Art. 48 (2), other EU regulations may refer to individual, originally voluntary certification systems that were created within the new framework and thus render them binding. This would instantly give the systems a product regulatory status, even though these systems were not designed according to NLF procedures. This concern is corroborated by current considerations to introduce delegated legal acts with product requirements for cybersecurity under the Radio Equipment Directive 2014/53/EU (RED) Art. 3 (3). If product regulation for security is required, this should be done based on a comprehensive risk assessment and in accordance with the principles of the NLF. This provides all the essential tools and procedures, including conformity assessment and monitoring in the marketplace and, where applicable, the possibility of third party certification. Inadequate industrial participation: The Cybersecurity Act needs a firm and lasting inclusion of market and customer insight as well as technical expertise about product development from companies in the application and manufacturing sectors. Otherwise, there is an imminent risk that the certification schemes may be in conflict with key customer and market requirements. This would be likely to result in the failure of the EU framework. The current reference to industrial participation (Title 3, Article 44 (2)) is insufficient. The Eco-Design Directive (2009/125/EC) provides a good template for a structured and effective process of consultation. Clear assessment criteria for initiation: On the basis of Art. 44 (1) of the Cybersecurity Act, it is not clear in any way what criteria should be used to determine the need for, requirements and scope of a new certification schemes. Based on a catalogue of criteria, the checklist procedure should be used by the to examine potential existing schemes, as well as the need for, the benefits and the foreseeable consequences of a new scheme. The criteria have to be worked on together with the industry in order to be able to depict general conditions such as market dynamics, technological developments, risk changes and international standardisation and norms. Only when the criteria have been assessed positively should the question of whether a new European certification system is applicable and its scope be determined. The s current sweeping right of initiative under Article 44 (1) is insufficient from the electrical industry s point of view. Process-related separation of content from conformity assessment: The Cybersecurity Act combines the determination of the levels of trustworthiness and testing depth (Art. 46), the contextual requirements and elements (Art. 47) as well as the type of conformity assessment (Article 48, solely by means of certification) into one process. This creates a mixture of mutually independent parameters. The determination of appropriate conformity assessment procedures (from manufacturer s self- 3
4 declaration to third party certification) only makes sense when the scope of application, protection objectives, risk enviroment, as well as customers and market requirements have been clarified (own responsibility of the manufacturer s declaration of conformity or certification by a third party). The definition of the what (Art ) should therefore be separated from the assessment of the how (Art. 48 in an adapted form) in a procedural manner and determined in close coordination with all relevant stakeholders. Name modification: The existing naming of the elements of the European certification framework already necessitates a commitment to third-party certification. As described above, the framework should also include the established and proven possibilities of conformity assessment as defined and available in NLF Decision 768/2008/EC with Modules A to H. The necessary additions to the content should be reflected in the naming. Therefore, the ZVEI is suggesting a change in the name: Conformity and Certification Framework Conformity and Certification Scheme Conformity and Certification Group Strengthening manufacturers ownership: Certified products and applications are not necessarily more secure or trustworthy than non-certified products. A certification corresponds to a test made according to pre-defined rules and requirements at a specific time. This means that dynamic changes in the cybersecurity environment and parameters not provided for in the test procedures cannot be detected by a certification of a prototype. On the other hand, the manufacturer self-declaration procedure enables a prompt and flexible reaction to changing conditions and can also provide the relevant information on cybersecurity. When combined with strong market surveillance, it ensures the provision of binding, reliable and legally effective information. It can therefore achieve at least the same degree of transparency and trust as certification but above all fulfilment of technical requirements -for the end customer. By basing their evaluation and manufacturer s declaration on a risk based approach, companies can define the appropriate protection level for the entire product life cycle. Not every product has to be protected with high security. Of course, wherever life or health depends on the products and solutions, there certainly must be other requirements than, for example, in the consumer goods sector. Here, third-party-certification can be useful if not already in place. Strengthening market surveillance: Experience has shown that any system (whether voluntary, harmonised or regulated) without strong market surveillance cannot succeed. Market surveillance creates a level playing field and ensures the reliability of the information provided on the market (e. g. manufacturer s declarations). To ensure effective evaluation of cybersecurity of products, market surveillance authorities need significantly more resources, meaning more budget and staff. Evaluating cybersecurity requires comprehensive and deep knowledge as well as effective testing procedures. Member states need to make sure that effective market surveillance procedure are established. Unlike the NLF, the Cybersecurity Act does not currently provide a strong role for market surveillance and relies primarily on the activities of the conformity assessment bodies as third parties. In most cases, however, it will only be able to take appropriate action against misuse and violations of the law in a limited or even ineffective manner. Taking the different user competences into consideration: In general, no security knowledge can be assumed in private end users. In industrial environments, operators and users bear defined responsibilities and possess the necessary expertise. This fact should be taken more into account by the Cybersecurity Act when selecting and designing a certification system. 4
5 Reviewing flexibility: With the ever-changing implications for security and the wide range of options available to meet them, product certification is approaching its limits. If this occurs, the certification of a system appears to be preferable (see Quality Management). Adaptation of the process model Existing process model in draft for the Cybersecurity Framework: Consults Industry & Standardization Bodies European Requests to prepare a Candidate Scheme Prepares candidate scheme Transmits candidate scheme to the European European Adopts Scheme Implementation via Delegated Acts A European Cybersecurity Certification Scheme ECCCG Advises and assists with preparation Proposal for an adapted process model: Consults Industry & Standardization Bodies Consults Industry & Standardization Bodies Clarification IF Clarification What Art Art. 47 Clarification How Art. 48 Conformity and/or Certification Criteria Catalog or Checklist European Requests to prepare a Candidate Scheme Prepares candidate scheme Definition Assurance Level and Elements Transmits candidate scheme to the European European Definition Procedure of Conformity Adopts Scheme A European Cybersecurity Conformity and Certification Scheme ECCCG ECCCG Advises and assists with preparation Advises and assists preparation 5
6 Recommendations on how to adapt the text Basis: Proposal for a Regulation of the European Parliament and of the Council on, the EU Cybersecurity Agency (Cybersecurity Act) from (COM(2017) 477 final) Notice: The following table only contains amendments for the implementation of the ZVEI core requirements. In terms of the consistency and plausibility of the text, this results in continuous changes to the entire documents, which are not listed here separately. The entire text must always be checked for consistency with the proposed text adaptations and modified if necessary. Section Current text wording Recommendation Art. 43 Revised Art. 44 (1) A European cybersecurity certification scheme shall attest that the ICT products and services that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems A European cybersecurity conformity and certification scheme shall attest that the ICT development and maintenance processes that have been certified in accordance with such scheme comply with specified requirements as regards their ability to resist at a given level of assurance, actions that aim to compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems The proves the necessity, relevance, usefulness, scope, and impact of a possible scheme based on commonly agreed on criteria. Possible criteria are: if all the following criteria are fulfilled: a) There is a relevant information gap between the provider and the buyer of the product or service. b) The information gap cannot be remedied by agreements and voluntary actions of the private market players. c) The candidate European cybersecurity attestation scheme is suitable to remedy the information gap. Art. 44 (1) Following a request from the, shall prepare a candidate European cybersecurity certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Certification Group (the 'Group') established under Article 53 may propose the preparation of a candidate European cybersecurity certification scheme to the. After a positive evaluation of the criteria, the issues a request to. Following the request from the, shall prepare a candidate European cybersecurity conformity and certification scheme which meets the requirements set out in Articles 45, 46 and 47 of this Regulation. Member States or the European Cybersecurity Conformity and Certification Group (the Group ) established under Article 53 may propose the preparation of a candidate European cybersecurity Conformity and Certification scheme to the. 6
7 Art. 44 (2) Art. 44 (4) Art. 47 (b) When preparing candidate schemes referred to in paragraph 1 of this Article, shall consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide with the assistance and expert advice required by in relation to the preparation of the candidate scheme, including by providing opinions where necessary. The, based on the candidate scheme proposed by, may adopt implementing acts, in accordance with Article 55(1 ), providing for European cybersecurity certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. detailed specification of the cybersecurity requirements against which the specific ICT products and services are evaluated, for example by reference to Union or international standards or technical specifications; When preparing candidate schemes referred to in paragraph 1 of this Article, shall define the security objectives (see Art. 45), assurance levels (see Art. 46), and elements (see Art. 47) of the candidate scheme. All aspects regarding the procedures of the conformity assessment will be defined by the in a second step, based on s findings. In doing so, shall work closely together with the industry stakeholder group and consult all relevant stakeholders and closely cooperate with the Group. The Group shall provide with the assistance and expert advice required by in relation to the preparation of the candidate scheme, including by providing opinions where necessary. The, based on the candidate scheme proposed by, may adopt implementing acts, in accordance with Article 5 of Regulation (EU) No 182/2011, providing for European cybersecurity conformity and certification schemes for ICT products and services meeting the requirements of Articles 45, 46 and 47 of this Regulation. The implementing acts shall contain information based on the council decision (768/2008/EC) about what type of conformity assessment should be chosen for the scheme. The type of conformity assessment shall be chosen in accordance with the criteria given in Article 4 of Council Decision 768/2008/EC. detailed specification of the cybersecurity requirements against which the specific ICT development and maintenance processes are evaluated, for example by reference to Union or international standards or technical specifications. In relation to the technical requirements and evaluation procedures, the schemes shall, whenever possible, make use of existing standards and shall not develop the technical standards themselves. Note: In the case of referencing European standards, these are published by the European standardisation organisations and endorsed by the European by publication in the Official Journal (see Regulation 1025/2012). Art. 47 (c) where applicable, one or more assurance levels where applicable, one or more assurance levels and type of conformity assessment Art. 47 (d) Art. 48 (3) specific evaluation criteria and methods used, including types of evaluation, in order to demonstrate that the specific objectives referred to in Article 45 are achieved; A European cybersecurity certificate pursuant to this Article shall be issued by the conformity assessment bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity certification scheme, adopted pursuant to Article 44. specific evaluation criteria and methods used, including types of evaluation, in order to demonstrate that the specific objectives referred to in Article 45 are achieved. Whenever possible for criteria and methods, the schemes shall make use of existing standards and shall not develop the criteria and methods themselves. A European cybersecurity conformity and certification certificate pursuant to this Article shall be issued by the bodies referred to in Article 51 on the basis of criteria included in the European cybersecurity conformity and certification scheme, adopted pursuant to Article 44. 7
8 Comments by the electrical industry on the EU Cybersecurity Act German Electrical and Electronic Manufacturers Association Lyoner Strasse Frankfurt am Main, Germany Contact: Lukas Linke Phone: linke@zvei.org January November 2017 BY NC SA Content in this booklet is licensed under an Creative Commons attribution noncommercial, 4.0 international licence. 8
ENISA s Position on the NIS Directive
ENISA s Position on the NIS Directive 1 Introduction This note briefly summarises ENISA s position on the NIS Directive. It provides the background to the Directive, explains its significance, provides
More informationCEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''
CEN Identification number in the EC register: 63623305522-13 CENELEC Identification number in the EC register: 58258552517-56 CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''
More informationCommittee on the Internal Market and Consumer Protection
European Parliament 2014-2019 AMDMTS: 12 Regulation on ISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) s created with Go to http://www.at4am.ep.parl.union.eu \000000.doc United in diversity
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 18/EN WP261 Article 29 Working Party Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679 Adopted on 6 february 2018 1 THE
More informationGuidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)
Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) Adopted on 4 December 2018 Adopted 1 Contents 1 Introduction... 3 2
More informationCybersecurity eit. Software. Certification. Industrial Security Embedded System
Statement Benefits and limitations of certifications and labels in the context of cyber security Arguments for a balance between customer information and industrial suitability Industrial Security Embedded
More informationNew cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017
in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017 European Union Agency for Network and Information Security Positioning ENISA activities CAPACITY Hands on activities POLICY Support MS & COM
More informationThe EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018
The EU Cybersecurity Package: Implications for ENISA Dr. Steve Purser Head of ENISA Core Operations Athens, 30 th January 2018 European Union Agency for Network and Information Security Outline 1. Cybersecurity
More informationDECISION OF THE EUROPEAN CENTRAL BANK
L 74/30 Official Journal of the European Union 16.3.2013 DECISIONS DECISION OF THE EUROPEAN CENTRAL BANK of 11 January 2013 laying down the framework for a public key infrastructure for the European System
More informationThe emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18
The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18 European Union Agency for Network and Information Security
More informationCOUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)
COUNCIL OF THE EUROPEAN UNION Brussels, 24 May 2013 Interinstitutional File: 2013/0027 (COD) 9745/13 TELECOM 125 DATAPROTECT 64 CYBER 10 MI 419 CODEC 1130 NOTE from: Presidency to: Delegations No. Cion
More information***I DRAFT REPORT. EN United in diversity EN. European Parliament 2017/0225(COD)
European Parliament 2014-2019 Committee on Industry, Research and Energy 2017/0225(COD) 27.3.2018 ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council on ISA,
More informationA comprehensive approach on personal data protection in the European Union
A comprehensive approach on personal data protection in the Justice Date 1 Main legal instruments on EU level Data Protection Directive 95/46/EC Directive 2002/58/EC on privacy and electronic communications
More informationCybersecurity Policy in the EU: Security Directive - Security for the data in the cloud
Cybersecurity Policy in the EU: The Network and Information Security Directive - Security for the data in the cloud Microsoft Commitment to Cybersecurity Security at the heart of our products and services
More informationVdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe
Author Date VdTÜV-WG Cybersecurity October, 3 rd 2015 VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe VdTÜV e.v. welcomes the Communication on a
More informationeidas Regulation (EU) 910/2014 eidas implementation State of Play
eidas Regulation (EU) 910/2014 eidas implementation State of Play CA-Day 19 September 2016 Elena Alampi DG CONNECT, European Commission elena.alampi@ec.europa.eu eidas The Regulation in a nutshell 2 MAIN
More informationENISA EU Threat Landscape
ENISA EU Threat Landscape 24 th February 2015 Dr Steve Purser ENISA Head of Department European Union Agency for Network and Information Security www.enisa.europa.eu Agenda ENISA Areas of Activity Key
More informationACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS
ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS Accreditation is continuously gaining recognition as an important technical tool in the delivery of objectives across an increasing range of policy
More informationResilience, Deterrence and Defence: Building strong cybersecurity for the EU
Resilience, Deterrence and Defence: Building strong cybersecurity for the EU 1 Building strong cybersecurity for the EU: Resilience, Deterrence and Defence From reactive to pro-active and cross-policy
More informationEuropean Union Agency for Network and Information Security
Critical Information Infrastructure Protection in the EU Evangelos Ouzounis Head of Secure Infrastructure and Services Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European Union Agency
More informationSTANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?
ETSI SUMMIT Releasing the Flow Data Protection and Privacy in a Data-Driven Economy 19 April 2018 STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL? Presented by
More informationGuidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 Adopted on 25 May 2018 Contents 1. Introduction... 2 1.1. Scope
More informationGuidelines for Interface Publication Issue 3
Editorial Note : These Guidelines are based on the OFTEL Guidelines Issue 2, which provided guidance on interface publication under the R&TTE Directive. They have now been amended to reflect the terminology
More informationThe Accreditation and Verification Regulation - Verification report
EUROPEAN COMMISSION DIRECTORATE-GENERAL CLIMATE ACTION Directorate A - International and Climate Strategy CLIMA.A.3 - Monitoring, Reporting, Verification Guidance Document The Accreditation and Verification
More informationCONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE
CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT 2018 18-19 APRIL, SKOPJE CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT 2018 At the Trieste Western Balkans Summit, we stressed the importance of the
More informationENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens
ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens 30.01.2018 European Union Agency for Network and Information Security What are these symbols anyway?
More informationITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles
ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability Session 2: Conformity Assessment Principles 12-16 October 2015 Beijing, China Keith Mainwaring ITU Expert Agenda 1. Context
More informationPackage of initiatives on Cybersecurity
Package of initiatives on Cybersecurity Presentation to Members of the IMCO Committee Claire Bury Deputy Director-General, DG CONNECT Brussels, 12 October 2017 Building EU Resilience to cyber attacks Creating
More information***I DRAFT REPORT. EN United in diversity EN. European Parliament 2018/0328(COD)
European Parliament 2014-2019 Committee on Industry, Research and Energy 2018/0328(COD) 7.12.2018 ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council establishing
More informationSector Vision for the Future of Reference Standards
The Group of Representative Bodies (GRB) The Sector Forum Rail (SFR) Sector Vision for the Future of s Brussels, 13 th July 2018 Sector Vision for Future of s 13 th July 2018 Page 1 of 6 Scope of position
More informationMOTION FOR A RESOLUTION
European Parliament 2014-2019 Plenary sitting B8-0155/2019 6.3.2019 MOTION FOR A RESOLUTION to wind up the debate on the statements by the Council and the Commission pursuant to Rule 123(2) of the Rules
More informationCOMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document
EUROPEAN COMMISSION Strasbourg, 7.2.2013 SWD(2013) 31 final COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT Accompanying the document Proposal for a Directive of the European
More informationHow the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015
How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015 Claudia Prettner, Unit for Health and Well-Being, DG CONNECT Table of
More informationETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)
ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive) July 2013 Executive Summary ETNO supports the European Commission s global approach to cyber-security
More informationICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability
ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability Prof. Dr. Paolo Balboni Founding Partner Professor of Privacy, Cybersecurity, and IT Contract
More informationNIS Standardisation ENISA view
NIS Standardisation ENISA view Dr. Steve Purser Brussels, 19 th September 2017 European Union Agency for Network and Information Security Instruments For Improving Cybersecurity Policy makers have a number
More informationEuropean Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market
European Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market Gérard GALLER Policy Officer European Commission -
More informationSecurity and resilience in Information Society: the European approach
Security and resilience in Information Society: the European approach Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu What s s ahead: mobile ubiquitous environments
More informationCooperation with other Certification Systems
ISCC 254 Cooperation with other Certification Systems Cooperation with other Certification Systems ISCC 11-01-14 V 1.16 11-01-14 Copyright notice ISCC 2010 This ISCC document is protected by copyright.
More informationEUROPEAN ACCREDITATION LEGAL FRAMEWORK
EUROPEAN ACCREDITATION LEGAL FRAMEWORK ECIBC Plenary 2016 Ed Wieles 24 November 2016 CONTENTS European model on Accreditation Requirements for Accreditation bodies Harmonised standards for accreditation
More informationcybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services
Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services European Union Agency for Network and Information Security Securing Europe s Information society 2
More informationRevised November EFESC Handbook
Revised November 2015 EFESC Handbook 1 Table of Contents EFESC Handbook... 1 Table of Contents... 2 Handbook EFESC... 4 1 Background and objectives... 4 1.1 Sectoral developments... 4 1.1 Objectives...
More informationENISA Cooperation in the EU / NIS Directive
ENISA Cooperation in the EU / NIS Directive Paulo Empadinhas Head of Administration & Stakeholders Relations IT STAR Milan, Italy 28 th October 2016 European Union Agency for Network and Information Security
More informationEISAS Enhanced Roadmap 2012
[Deliverable November 2012] I About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its Member States, the private
More information10007/16 MP/mj 1 DG D 2B
Council of the European Union Brussels, 9 June 2016 (OR. en) 10007/16 OUTCOME OF PROCEEDINGS From: On: 9 June 2016 To: General Secretariat of the Council Delegations No. prev. doc.: 9579/16 + COR 1 Subject:
More informationEDPB Certification Guidelines
EDPB Certification Guidelines Public Consultation: Comments submitted by SCOPE Europe bvba/sprl Published and Submitted: 10. July 2018 1 About SCOPE Europe sprl SCOPE Europe is a subsidiary of Selbstregulierung
More informationINSPIRE status report
INSPIRE Team INSPIRE Status report 29/10/2010 Page 1 of 7 INSPIRE status report Table of contents 1 INTRODUCTION... 1 2 INSPIRE STATUS... 2 2.1 BACKGROUND AND RATIONAL... 2 2.2 STAKEHOLDER PARTICIPATION...
More informationRESOLUTION 45 (Rev. Hyderabad, 2010)
212 RESOLUTION 45 (Rev. Hyderabad, 2010) The World Telecommunication Development Conference (Hyderabad, 2010), recalling a) Resolution 45 (Doha, 2006) of the World Telecommunication Development Conference
More informationInternational Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018
International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018 Dr. Dennis-Kenji Kipker University of Bremen Washington DC, 10.04.2018 Gefördert vom FKZ: 16KIS0213 bis 16KIS0216 Slide
More informationSAS Rules for Accreditation Purposes in the context of Notification - Designation of Conformity Assessment Bodies (CAB)
Federal Department of Economic Affairs, Education and Research EAER State Secretariat for Economic Affairs SECO Swiss Accreditation Service SAS SAS Rules for Accreditation Purposes in the context of Notification
More informationDAkkS Who we are. Attesting competence, Assuring quality, Creating confidence.
DAkkS Who we are Attesting competence, Assuring quality, Creating confidence. What is accreditation? Reliability through conformity assessment The demands on the quality of goods and services are growing
More informationThe GDPR and NIS Directive: Risk-based security measures and incident notification requirements
The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant
More informationWeb-Accessibility as a human right
Web-Accessibility as a human right EESC Hearing on Accessibility as a Human Right Jun 4, 2013 Joost van der Vleuten European Commission / DG CONNECT Digital Agenda for Europe on Web- Acessibility DAE Action
More information13967/16 MK/mj 1 DG D 2B
Council of the European Union Brussels, 4 November 2016 (OR. en) 13967/16 'I/A' ITEM NOTE From: To: General Secretariat of the Council No. prev. doc.: 11911/3/16 REV 3 No. Cion doc.: 11013/16 Subject:
More informationConformity assessment
Training Course on Conformity and Interoperability, Tunis-Tunisia, from 22 to 26 May 2017 Conformity assessment Presented by: Karim Loukil & Kaïs Siala Page 1 Today s Objectives Present basic information
More informationBrussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER
COUNCIL OF THE EUROPEAN UNION Brussels, 19 May 2011 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66 NOTE From : COREPER To: COUNCIL No Cion. prop.: 8548/11 TELECOM 40 DATAPROTECT 27 JAI 213 PROCIV38
More informationSOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American
More informationehealth Network ehealth Network Governance model for the ehealth Digital Service Infrastructure during the CEF funding
ehealth Network Governance model for the ehealth Digital Service Infrastructure during the CEF funding 1 The ehealth Network is a voluntary network, set up under article 14 of Directive 2011/24/EU. It
More informationWhite Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security
White Paper The Impact of Payment Services Directive II (PSD2) on Authentication & Security First Edition June 2016 Goode Intelligence All Rights Reserved Published by: Goode Intelligence Sponsored by:
More informationThe commission communication "towards a general policy on the fight against cyber crime"
MEMO/07/199 Brussels, 22 May 2007 The commission communication "towards a general policy on the fight against cyber crime" The use of the term cyber crime in this communication There is no agreed definition
More informationEU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017
EU Cloud Computing Policy Luis C. Busquets Pérez 26 September 2017 The digital revolution is built on data Most economic activity will depend on data within a decade Potential of the data-driven economy
More informationSERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?
WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...
More informationR e a c t i o n s t o t h e e - I n v o i c i n g r e p o r t o f t h e EU- E x p e r t g r o u p
Seite 1 von 6 Re: R e a c t i o n s t o t h e e - I n v o i c i n g r e p o r t o f t h e EU- E x p e r t g r o u p General assessment 1. Do you agree with the report s assessment, conclusions and recommendations?
More informationKick-off Meeting DPIA Test phase
Kick-off Meeting DPIA Test phase Directorate General for European Commission Brussels, 05/03/2015 Content Welcome and Introduction Upcoming Data Protection Reform Commission Recommendation Test Phase of
More informationGuidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 Adopted on 23 January 2019 1 Table of contents 1.1 Scope of the
More informationMandate to CEN, CENELEC and ETSI for Standardisation in the field of electric motors
Ref. Ares(2010)367759-25/06/2010 EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR ENERGY Directorate C - New and renewable sources of energy, Energy efficiency & Innovation C.3 - Energy efficiency of products
More informationCybersecurity Package
Cybersecurity Package Highlights of key initiatives Domenico Ferrara Policy officer @ DG CONNECT Brussels, 12 December 2017 1 2013-2017: Evolving threat landscape Proliferation of (poorly secured) IoT
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationNATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -
NATIONAL CYBER SECURITY STRATEGY - Version 2.0 - CONTENTS SUMMARY... 3 1 INTRODUCTION... 4 2 GENERAL PRINCIPLES AND OBJECTIVES... 5 3 ACTION FRAMEWORK STRATEGIC OBJECTIVES... 6 3.1 Determining the stakeholders
More informationAlberta Reliability Standards Compliance Monitoring Program. Version 1.1
Version 1.1 Effective: January 14, 2011 Table of Contents 1. Introduction... 1 2. Purpose... 1 3. Applicability... 1 4. Definitions... 1 5. Compliance Monitoring Overview... 2 6. Monitoring Tools... 1
More informationInternet copy. EasyGo security policy. Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement
EasyGo security policy Annex 1.3 to Joint Venture Agreement Toll Service Provider Agreement This copy of the document was published on and is for information purposes only. It may change without further
More informationFOR QTSPs BASED ON STANDARDS
THE EU CYBER SECURITY AGENCY FOR QTSPs BASED ON STANDARDS Technical guidelines on trust services DECEMBER 2017 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre
More informationRegulation for the accreditation of product Certification Bodies
Title Reference Regulation for the accreditation of product Certification Bodies RG-01-03 Revision 00 Date 2014-04-14 Preparation Approval Authorization of issue Application date Director of the Dept.
More informationGeneral Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of
General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General
More informationLAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»
April 27\ 99 Draft LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION» This Law shall establish legal basis of certification of products, quality systems and production, (further processes), works and
More informationToward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization
Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization www.jrc.ec.europa.eu Serving society Stimulating innovation Supporting legislation The Mission of the Joint Research
More informationMemo on Stakeholder Consultation on Article 10(2) of Directive 2012/19/EU
Memo on Stakeholder Consultation on Article 10(2) of Directive 2012/19/EU To: From: Norbert Zonneveld CC: Date: 29 October 2014 Background On 17 October 2014 EERA was invited by the Directorate General
More informationReport of the Working Group on mhealth Assessment Guidelines February 2016 March 2017
Report of the Working Group on mhealth Assessment Guidelines February 2016 March 2017 1 1 INTRODUCTION 3 2 SUMMARY OF THE PROCESS 3 2.1 WORKING GROUP ACTIVITIES 3 2.2 STAKEHOLDER CONSULTATIONS 5 3 STAKEHOLDERS'
More informationGeneral Framework for Secure IoT Systems
General Framework for Secure IoT Systems National center of Incident readiness and Strategy for Cybersecurity (NISC) Government of Japan August 26, 2016 1. General Framework Objective Internet of Things
More informationDATA PROCESSING TERMS
DATA PROCESSING TERMS Safetica Technologies s.r.o. These Data Processing Terms (hereinafter the Terms ) govern the rights and obligations between the Software User (hereinafter the User ) and Safetica
More informationExploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know
Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know Aristotelis Tzafalias Programme Officer, Trust and Security DG Communications Networks,
More informationHarmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT
Harmonisation of Digital Markets in the EaP Vassilis Kopanas European Commission, DG CONNECT vassilis.kopanas@ec.europa.eu The cost of non-europe European Parliament Research Study, March 2014 Fully realising
More informationEU policy on Network and Information Security & Critical Information Infrastructures Protection
EU policy on Network and Information Security & Critical Information Infrastructures Protection Köln, 10 March 2011 Valérie ANDRIANAVALY European Commission Directorate General Information Society and
More informationDraft Resolution for Committee Consideration and Recommendation
Draft Resolution for Committee Consideration and Recommendation Committee A: Security and Transparency in a Digital Environment The General Assembly; Draft Resolution Submitted for revision by the delegations
More informationIntroduction. Content. Training Course NAA Inspectors Training Course - Initial Airworthiness. Location(s) / Date(s) List price September 2019
Training Course NAA Inspectors Training Course - Initial Airworthiness Location(s) / Date(s) Hoofddorp, 11-13 February 2019 Netherlands 17-19 September 2019 List price 1290.00 Introduction EU Regulation
More informationEconomic and Social Council
United Nations Economic and Social Council ECE/TRANS/WP.29/2017/46 Distr.: General 23 December 2016 Original: English Economic Commission for Europe Inland Transport Committee World Forum for Harmonization
More informationMotorola Mobility Binding Corporate Rules (BCRs)
Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,
More informationUSING STANDARDS TO ASSESS THE COMPETENCE OF CONFORMITY
Ref. Ares(2014)2675967-13/08/2014 EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL Regulaty policy Regulaty Approach f the free movement of goods NOTE TO THE SENIOR OFFICIALS GROUP ON STANDARDISATION
More informationSection I. GENERAL PROVISIONS
LAW OF THE RUSSIAN FEDERATION NO. 5151-1 OF JUNE 10, 1993 ON CERTIFICATION OF PRODUCTS AND SERVICES (with the Additions and Amendments of December 27, 1995, March 2, July 31, 1998) Federal Law No. 154-FZ
More information13543/17 PhL/at 1 DG G 3 B
Council of the European Union Brussels, 24 October 2017 (OR. en) 13543/17 UD 239 NOTE From: To: General Secretariat of the Council Permanent Representatives Committee/Council No. prev. doc.: ST 12287/5/17
More informationTURKISH STANDARDS INSTITUTION
TURKISH STANDARDS INSTITUTION NEW GLOBAL OLD APPROACH REGULATIONS CONFORMITY ASSESSMENT PROCEDURES AND PRINCIPLES Board Decision : 29.04.2014 Date 50.-236 Validity date : 05.05.2014 CHAPTER ONE Objective,
More informationEUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA
Ref. Ares(2011)514527-12/05/2011 EUROPEAN COMMISSION DIRECTORATE-GENERAL INFORMATION SOCIETY AND MEDIA Electronic Communications Policy Implementation of Regulatory Framework (I) Brussels, 6th May 2011
More informationCRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS
CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS Approved By: Executive: Accreditation: Mpho Phaloane Revised By: RBI STC Working Group Members Date
More informationMozilla position paper on the legislative proposal for an EU Cybersecurity Act
Mozilla position paper on the legislative proposal for an EU Cybersecurity Act Enhancing cybersecurity through government vulnerability disclosure I. INTRODUCTION This paper provides an overview of Mozilla
More informationRESOLUTION 130 (REV. BUSAN, 2014)
RESOLUTION 130 (REV. BUSAN, 2014) Strengthening the role of ITU in building confidence and security in the use of information and communication technologies The Plenipotentiary Conference of the International
More informationConformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant
Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Standardization Bureau (TSB) Consultant Moscow, 9-11 november 2011 Contents The benefits of conformity assessment Conformity
More informationJOINT MOTION FOR A RESOLUTION
European Parliament 2014-2019 Plenary sitting B8-0154/2019 } B8-0155/2019 } B8-0159/2019 } B8-0160/2019 } RC1 8.3.2019 JOINT MOTION FOR A RESOLUTION pursuant to Rule 123(2) and (4) of the Rules of Procedure
More informationEUROPEAN COMMISSION DIRECTORATE GENERAL FOR INTERPRETATION
EUROPEAN COMMISSION DIRECTORATE GENERAL FOR INTERPRETATION RESOURCES AND SUPPORT DIRECTORATE Management of Technical Infrastructure Brussels, 23 January 2013 M/516 EN Ref. Ares(2013)136537-04/02/2013 REQUEST
More informationThe Role of the Data Protection Officer
The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services
More informationCouncil of the European Union Brussels, 23 November 2016 (OR. en)
Conseil UE Council of the European Union Brussels, 23 November 2016 (OR. en) 13323/1/16 REV 1 LIMITE PUBLIC DAPIX 173 ENFOPOL 349 ENFOCUSTOM 163 COSI 156 GENVAL 107 AVIATION 210 NOTE From: To: Subject:
More information